1. Field of the Invention
The present invention is related to methods of protection against malware and, in particular, to identification and removal of malware components and to providing an anti-virus system for curing infected computer systems.
2. Description of the Related Art
Detection of viruses and malware has been a concern throughout the era of the personal computer. With the growth of communication networks such as the Internet and increasing interchange of data, including the rapid growth in the use of e-mail for communications, the infection of computers and networks through communications or file exchanges is an increasingly significant consideration. Infections take various forms, but are typically related to computer viruses, Trojan programs, or other forms of malicious code (i.e., malware).
Recent incidents of e-mail mediated virus attacks have been dramatic both for the speed of propagation and for the extent of damage, with Internet service providers (ISPs) and companies suffering service problems and a loss of e-mail and networking capability. In many instances, attempts to adequately prevent file exchange or e-mail mediated infections significantly inconvenience computer users. Improved strategies for detecting and removing malware components from the computer systems are desired.
Conventional anti-virus (AV) systems run inside the operating system: the AV application is installed on the computer system's OS like any other application. AV applications use two methods to accomplish their task: scanning files for known viruses, and detecting suspicious application behavior that resembles the behavior patterns of known infected applications. Since most malware components are written to the hard drive, scanning the hard drive is essential.
One conventional approach to detecting viruses is signature scanning. Signature scanning systems use sample code patterns extracted from known malware code and scan other program code for the occurrence of these patterns. A primary limitation of the signature scanning method is that only known malicious code is detected, that is, only code that matches a stored signature of known malicious code is identified as infected. Viruses or malicious code not previously identified, and viruses or malicious code created after the last update to the signature database, will not be detected.
In addition, the signature analysis technique fails to identify the presence of a virus if the signature does not appear in the code in the expected form. The authors of a virus may also obscure its identity by opcode substitution or by inserting dummy or random code into the virus functions. Nonsense code can be inserted that alters the byte pattern of the virus sufficiently to make it undetectable by a signature scanning program, without diminishing the ability of the virus to propagate and deliver its payload.
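The following is an added illustration of the signature scanning method and the two evasions just described; it is not code from the patent. The "malware" is a constructed fragment of four hand-assembled x86 instructions, the signature database holds one made-up entry ("Example.Dropper.A"), and the 16-byte file header is likewise constructed.

```python
"""Signature scanning, and its evasion by dummy-code insertion and opcode substitution.

Constructed example: the "malware" below is four hand-assembled x86 instructions,
not a real sample, and the signature database holds a single made-up entry.
"""
from typing import Dict, List, Tuple

# Constructed "known malware" fragment, kept one instruction per element so that
# dummy code can be inserted at instruction boundaries (inserting inside an
# instruction would break it, which a virus author must avoid).
ORIGINAL_INSTRUCTIONS: List[bytes] = [
    bytes.fromhex("55"),      # push ebp
    bytes.fromhex("89e5"),    # mov ebp, esp
    bytes.fromhex("83ec40"),  # sub esp, 0x40
    bytes.fromhex("31c0"),    # xor eax, eax
]

# Signature database: name -> contiguous byte pattern extracted from the known sample.
SIGNATURES: Dict[str, bytes] = {
    "Example.Dropper.A": b"".join(ORIGINAL_INSTRUCTIONS),
}

# Semantically equivalent encodings an author can swap in (opcode substitution):
# 31 c0 and 33 c0 both encode "xor eax, eax" (XOR r/m32,r32 vs XOR r32,r/m32).
OPCODE_SUBSTITUTIONS: Dict[bytes, bytes] = {
    bytes.fromhex("31c0"): bytes.fromhex("33c0"),
}

NOP = b"\x90"  # one-byte do-nothing instruction used as "dummy code"


def build_sample(instructions: List[bytes]) -> bytes:
    """Wrap the code in a constructed 16-byte header so it resembles a small program file."""
    header = b"MZ" + b"\x00" * 14
    return header + b"".join(instructions) + b"\xc3"  # ret


def scan(data: bytes, signatures: Dict[str, bytes] = SIGNATURES) -> List[Tuple[str, int]]:
    """Return (signature name, offset) for every contiguous occurrence of a pattern in data.

    This is the whole signature method: a byte-exact substring search. Anything that
    breaks the contiguity or the exact bytes of the pattern defeats it.
    """
    hits: List[Tuple[str, int]] = []
    for name, pattern in signatures.items():
        start = 0
        while (idx := data.find(pattern, start)) != -1:
            hits.append((name, idx))
            start = idx + 1
    return hits


def insert_dummy_code(instructions: List[bytes], filler: bytes = NOP) -> List[bytes]:
    """Evasion 1: interleave a do-nothing instruction after every real instruction.

    The program behaves identically, but the signature bytes are no longer adjacent.
    """
    padded: List[bytes] = []
    for ins in instructions:
        padded.append(ins)
        padded.append(filler)
    return padded


def substitute_opcodes(instructions: List[bytes],
                       table: Dict[bytes, bytes] = OPCODE_SUBSTITUTIONS) -> List[bytes]:
    """Evasion 2: replace instructions with equivalent but differently encoded ones."""
    return [table.get(ins, ins) for ins in instructions]


if __name__ == "__main__":
    print("original   :", scan(build_sample(ORIGINAL_INSTRUCTIONS)))
    print("with NOPs  :", scan(build_sample(insert_dummy_code(ORIGINAL_INSTRUCTIONS))))
    print("substituted:", scan(build_sample(substitute_opcodes(ORIGINAL_INSTRUCTIONS))))
```

The unmodified sample is detected at offset 16 (immediately after the constructed header); after either transformation the same scanner reports nothing, although the code still does exactly what it did before. Real scanners mitigate this with wildcards and emulation, but the underlying limitation is the one the paragraph describes: the signature only matches what it was extracted from.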
Another virus detection strategy is integrity checking. Integrity checking systems extract a code sample from known, benign application program code. The code sample is stored together with information from the program file, such as the executable program header and the file length, as well as the date and time stamp of the sample. The program file is checked at regular intervals against this database to ensure that it has not been modified.
An effective conventional approach uses so-called white lists, i.e., lists of known "clean" software components, links, libraries and other clean objects. To compare a suspect object against the white list, hash values can be used. The use of hashes is disclosed, for example, in WO/2007066333, where the white list consists of hashes of known clean applications; checksums of the objects under inspection are calculated and compared against the known checksums.
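The following is an added illustration of both the integrity checking and the white list approaches described in the two preceding paragraphs; it is not code from the patent or from WO/2007066333. The "program files" are short constructed byte strings, the file names are made up, and SHA-256 is used for the comparison rather than a plain checksum, since a non-cryptographic checksum is easy for an attacker to collide.

```python
"""Integrity checking against a baseline, and white-list lookup by hash.

Constructed example: the "programs" are short made-up byte strings, not real
executables. SHA-256 stands in for the checksum of the cited approach because a
collision-resistant hash is what a practitioner would use for this comparison.
"""
import hashlib
from typing import Dict, List, Set

HEADER_LEN = 16  # bytes of the program header kept in each baseline record (constructed choice)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: Dict[str, bytes]) -> Dict[str, dict]:
    """Record, per known-good program file, its header sample, its length and a hash of its contents."""
    return {
        name: {
            "header": data[:HEADER_LEN],
            "length": len(data),
            "sha256": sha256_hex(data),
        }
        for name, data in files.items()
    }


def check_integrity(files: Dict[str, bytes], baseline: Dict[str, dict]) -> List[str]:
    """Return, sorted, the names of files that are new, missing, or whose contents differ from the baseline.

    Header and length are cheap pre-checks, but a file can be patched in the middle
    without changing either, so the hash over the whole file is the decisive comparison.
    Timestamps are deliberately not relied on: an attacker can reset them.
    """
    changed: List[str] = []
    for name in sorted(set(files) | set(baseline)):
        if name not in files or name not in baseline:
            changed.append(name)
            continue
        data, rec = files[name], baseline[name]
        if (data[:HEADER_LEN] != rec["header"]
                or len(data) != rec["length"]
                or sha256_hex(data) != rec["sha256"]):
            changed.append(name)
    return changed


def build_whitelist(clean_files: Dict[str, bytes]) -> Set[str]:
    """White list: the set of hashes of known clean objects (the cited approach, with SHA-256)."""
    return {sha256_hex(data) for data in clean_files.values()}


def classify(data: bytes, whitelist: Set[str]) -> str:
    """'clean' if the object's hash is on the white list, otherwise 'unknown' (needs further analysis)."""
    return "clean" if sha256_hex(data) in whitelist else "unknown"


# Constructed sample "program files" in their known-good state.
CLEAN_FILES: Dict[str, bytes] = {
    "calc.exe": b"MZ\x90\x00" + b"\x00" * 12 + b"\x55\x89\xe5\xc3",
    "notepad.exe": b"MZ\x90\x00" + b"\x00" * 12 + b"\x31\xc0\xc3",
}

# The same storage after an intrusion: calc.exe has one code byte patched (ret -> int3),
# leaving header and length unchanged, and a new file has appeared.
TAMPERED_FILES: Dict[str, bytes] = dict(CLEAN_FILES)
TAMPERED_FILES["calc.exe"] = CLEAN_FILES["calc.exe"][:-1] + b"\xcc"
TAMPERED_FILES["rootkit.sys"] = b"MZ\x90\x00" + b"\x00" * 12 + b"\xeb\xfe"

if __name__ == "__main__":
    baseline = build_baseline(CLEAN_FILES)
    whitelist = build_whitelist(CLEAN_FILES)
    print("changed files:", check_integrity(TAMPERED_FILES, baseline))
    for name, data in TAMPERED_FILES.items():
        print(f"{name}: {classify(data, whitelist)}")
```

One caveat a practitioner would add: both checks only see what the OS shows them. If a rootkit that already runs inside the OS hides or substitutes the files the checker reads, the baseline and the white list are compared against a lie, which is the limitation the rest of this section turns to.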
Conventional AV applications use operating memory and processor resources in the same manner as other applications, including malware applications. An AV application installed in the OS has both administrative and user rights. However, some malware components have the same rights. Therefore an AV application that has no more rights than a malware component cannot remove some of the malware components.
A primary example of such malware components is the "rootkit." The term "rootkit" refers to a set of utilities or special modules of the OS kernel that are installed by an intruder on a compromised computer system after acquiring administrative rights. This set of installed utilities typically includes a number of functions for hiding any signs that the system has been compromised. The rootkit allows the intruder to remain inside the system and to hide his files, processes, and any signs of the rootkit's presence in the system.
Thus, the rootkit is hidden not only from the users but, effectively, from the AV applications as well. The rootkit may also gain higher privileges than the AV application and damage the AV application or diminish its effectiveness.
Anti-virus systems can also be implemented as firmware-type network filters. For example, the gatekeepers Card Pro and Pico are provided by Yoggie Inc. These gatekeepers have their own CPU and memory. However, they do not provide any protection against rootkits, since they serve only as filters of incoming network traffic.
The filtering performed by such gatekeepers works only on network traffic, at the data representation (presentation) layer of the OSI model. It therefore does not protect against rootkits that are already present on the data storage. Thus, the data storage still needs to be periodically scanned for rootkits and other malware.
A number of conventional methods for fighting rootkits exist, but none of them can guarantee full removal of a rootkit from the system.
A conventional AV application has to be installed on the OS. Because the AV application uses the common system resources, its execution loads the system it is meant to protect. Therefore, there is a need for an AV system that can completely remove malware components such as rootkits while avoiding the rights and access issues described above, and that does not consume the resources of the computer system being protected.